A four-lawyer practice in Ontario opens Outlook on a Monday morning. Every email since Friday returns an error. A note pinned to the accounts payable folder demands 12 bitcoin, payable within 72 hours, or the case files land on a public leak site. The senior partner calls the Law Society before calling the RCMP.
What the firm does not know that morning: the attackers have been inside for 47 days.
During those 47 days the attackers read a corporate board dispute in discovery, a $6 million matrimonial settlement negotiation, defence strategy for a serious personal-injury case, four will contests, drafts of a partnership dissolution, and confidential retainer correspondence for approximately 340 active matters. All of that material was copied to an attacker-controlled server before the ransom message arrived. The ransom is the last step of the operation, not the first.
The industry response to small-firm ransomware has settled on two controls: multi-factor authentication on email accounts, and daily encrypted backups of the file server. Both are reasonable. Neither addresses the fact that in the operation described above, the confidentiality breach happened on day one of the 47-day window, not day 47.
Why "MFA and backups" misses this
Backups protect availability. The firm can restore the file server and the mail store from backup, and the case-management platform will look identical to what it looked like on day 46. The material is still on the attacker's server. Restoring from backup does not un-exfiltrate what has already been read.
Multi-factor authentication protects the sign-in event. In FBI-reported business email compromise cases where investigators reconstructed the initial intrusion, over 80 percent of victims had multi-factor authentication enabled at the time of compromise. Adversary-in-the-middle phishing pages, sold as commercial kits, capture the session cookie after multi-factor authentication passes. The attacker holds the session for the length of the session lifetime, which on default Microsoft 365 or Google Workspace configurations runs into weeks.
The Law Society disclosure obligation triggers on the confidentiality breach, not on the ransomware deployment. Whether the firm pays the ransom or restores from backup, the disclosure duty to affected clients and to the regulator is the same. The reputational and regulatory outcome is set at the moment the attacker reads the first privileged document.
The actionable question is not "how do we recover after the ransom message?" The actionable question is: how did the attacker get 47 days of resident access to privileged material?
The 47-day reconnaissance chain
Attackers do not choose target firms at random. The pattern below is documented across ransomware advisory reports from the Canadian Centre for Cyber Security, the FBI Internet Crime Complaint Center, and the major incident-response firms.
Step one: identity mapping from public records
Small and mid-size law firms are among the most exhaustively documented professional-services businesses in Canadian public data. Law Society directories publish every practising lawyer's name, bar admission date, firm affiliation, and primary practice area. Court rolls list every practitioner appearing in a jurisdiction. Firm websites publish biographies, direct dial numbers, and email addresses. Corporate registries expose the firm's directors and principal address. Aggregated across these sources, an attacker can construct a complete personnel and workflow map of the firm before any technical activity begins.
Step two: breach-database credential correlation
With names and email addresses identified, attackers query breach databases for credential exposures matching those addresses. The current password is rarely the goal. Historical passwords across a decade of consumer data breaches produce patterns. A partner who used a variant of the same password on a professional network in 2016, on a design suite in 2013, and on a file-hosting service in 2012 is telegraphing exactly how they construct passwords in 2026. Most law-firm staff email accounts are protected by passwords that a determined attacker can guess inside a small number of attempts once the historical pattern is known.
Step three: adversary-in-the-middle multi-factor authentication bypass
The industry has moved to multi-factor authentication on business email. This does not stop the reconnaissance. Adversary-in-the-middle phishing pages proxy the real sign-in flow. The user completes the multi-factor authentication challenge. The attacker captures the resulting session cookie. From that point forward the attacker holds an authenticated session for as long as the tenant's session lifetime allows, and the sign-in event looks normal in the audit log because it was a real sign-in that the real user completed.
Step four: persistence through inbox rules and OAuth grants
Once inside, the attacker does not sit visibly logged in. They create inbox rules that auto-forward specific message threads to an external address. They grant themselves an OAuth token to a third-party application the firm has never used, which survives the user changing their password. They register a rogue device under the user's account. Each of these persistence mechanisms is invisible to a user checking their normal Outlook or Gmail view. None of them show up as an alert unless someone is auditing the tenant for exactly those artefacts.
Step five: silent exfiltration for weeks
By week two of the compromise, the attacker has identified which mailboxes hold the high-value material. Partner accounts. The clerk who manages retainer trust deposits. The associate handling the largest active file. The attacker reads, categorises, and copies material to an external server on a schedule that matches normal user activity so the outbound traffic pattern does not stand out. On the majority of small-firm tenants, there is no data loss prevention policy monitoring outbound message content, and the attacker's exfiltration is not detected until they announce it.
Step six: the ransom message
On day 47, the attacker deploys the encryption payload and sends the ransom message. By this point the exfiltrated material has been reviewed, indexed, and prepared for either public leak or private sale. Payment of the ransom does not recover the copied material. It only stops the public disclosure timer.
What every small firm's external surface reveals
The reconnaissance chain relies on data the firm already publishes, plus data that leaked in incidents outside the firm's control. Neither is fixable through backup improvements. Both are addressable through configuration.
Across the professional-services landscape LeakTrace analyses, three exposures show up on almost every small-firm external surface, and each one shortens the attacker's path by weeks.
Missing or misconfigured email authentication
DMARC, SPF, and DKIM are the three DNS records that determine whether an inbound mail server will accept a message claiming to be from the firm's domain. On most small-firm domains, at least one of these records is missing, weakly configured, or set to a permissive mode that does not enforce rejection. When email authentication is not enforced, an attacker impersonating the firm can send from anywhere and the recipient's mail server has no information to reject.
Executive personal data on public broker sites
Senior partners' home addresses, phone numbers, family relationships, and property history are aggregated by data broker sites, republished, and made searchable. This is the material used to construct pretext phone calls to clerks, to bypass "verify with a person you know" controls, and to add the personal detail that makes a phishing message land in the partner's actual inbox. Removal at the broker level once does not durably fix this. The brokers re-scrape public records every thirty to ninety days and the data reappears.
Weak conditional access on business email
Default Microsoft 365 and Google Workspace configurations grant session lifetimes measured in weeks, allow sign-ins from any country, and do not require re-authentication when the client fingerprint changes. Every one of those defaults is configurable. Almost none of them are configured on typical small-firm tenants.
None of these exposures require a breach to fix. Each one is a configuration decision.
What actually stops the 47-day compromise
The controls that break the reconnaissance chain sit in the window before the ransom message, not the hours after it.
Enforce DMARC at reject. Rotate DKIM keys on a fixed schedule. Publish MTA-STS so mail servers accepting messages from the firm's domain use encrypted transport. These changes take a knowledgeable IT contact under two hours and require no purchases.
Configure conditional access on business email to reject sign-ins from countries the firm does not operate in. Set session lifetime to a value measured in hours, not weeks. Require re-authentication when the sign-in fingerprint changes. Enrol every mailbox in phishing-resistant multi-factor authentication, not SMS.
Audit every mailbox in the tenant for user-defined rules that forward externally, move messages on financial or matter-related keywords, or hide replies from specific senders. This is the single highest-yield check for detecting an in-progress compromise. In every documented business email compromise case, the attacker created one of these rules to maintain persistence. Reviewing the ruleset takes a mail administrator about an hour per tenant.
Enable data loss prevention rules on outbound messages so that the pattern of "hundreds of megabytes of PDF attachments sent to a personal address never previously in the send graph" produces an alert instead of no signal at all.
Continuously monitor senior partners' personal data across the North American data broker landscape and submit removal requests through each site's opt-out flow. This is a subscription operation. Attempted once and abandoned, it decays inside sixty days.
Why this matters now
The Law Society disclosure obligation on a small firm does not care whether the encryption payload deployed successfully or the backup restored cleanly. It cares that a confidentiality breach happened. In the operation described at the top of this briefing, the disclosure duty attached on day one of the 47-day window. Everything after that was the attacker deciding when to force the firm to disclose.
Small firms that want to actually reduce exposure have to intervene at the reconnaissance stage. That means treating the external attack surface, the credential exposure landscape, the executive personal data footprint, and the tenant's own persistence-mechanism surface as continuously monitored surfaces. It also means auditing mailboxes on a schedule that reflects the attacker's operational tempo, not the firm's calendar.
The exposure is already indexed. The question is whether the firm has mapped its own footprint before the attacker did.